Privacy Policy

Effective: 11 June 2026 · Pursuant to Art. 13 & 14 GDPR (DSGVO) and § 25 TTDSG

This Privacy Policy explains how Healtown collects, uses, stores, and shares your personal data, and sets out your rights under the EU General Data Protection Regulation (GDPR / DSGVO) and the German Telekommunikations-Telemedien-Datenschutzgesetz (TTDSG).

§ 1 — Data Controller (Verantwortlicher)

The data controller within the meaning of Art. 4(7) GDPR is:

Ali TaheriAzandaryani
Langewiesenweg 7
69469 Weinheim, Germany
Email: privacy@healtown.net
Website: healtown.net

The appointment of a Data Protection Officer (Datenschutzbeauftragter) is not required under Art. 37 GDPR at the current scale of processing. Data protection enquiries may be directed to the controller at the contact details above.

§ 2 — Definitions

Terms used in this policy have the same meaning as defined in Art. 4 GDPR. In particular: "personal data" means any information relating to an identified or identifiable natural person; "processing" means any operation performed on personal data; "data subject" means the identifiable natural person to whom personal data relates.

§ 3 — Categories of Personal Data We Collect

3.1 Data You Provide Directly

Account data
Full name, email address, hashed password, role (Client / Provider), username, profile photo. Required for account creation.
Provider profile data
Business/professional name, biography, service descriptions, pricing, availability, session location (in-person address or online link), category.
Professional credentials
Certificates, diplomas, professional licences, or proof of insurance uploaded for Provider verification. Stored securely in access-controlled storage.
Identity verification data
Government-issued ID document and biometric selfie, processed by our KYC partner DiDit. Healtown does not receive or store raw biometric data — DiDit processes this under its own privacy policy and returns only a verification result.
Payment data
Booking amounts, refund records, and Stripe payment intent IDs. Full card numbers and payment credentials are processed exclusively by Stripe and are never stored on Healtown servers.
Messages
In-platform messages exchanged between Clients and Providers. Stored to enable the messaging feature and to resolve disputes.
Support communications
Emails, enquiries, and complaint records when you contact us.

3.2 Data Collected Automatically

Server logs
IP address, HTTP request method, URL, response code, browser type (User-Agent), timestamp. Collected automatically by the web server.
Authentication tokens
Session cookies and authentication tokens issued by Supabase Auth to maintain your logged-in session. These are strictly necessary.
Booking & transaction records
Automatically generated upon Booking confirmation: booking ID, listing ID, timeslot, status, payment intent reference, cancellation and refund events.

3.3 Special Category Data (Art. 9 GDPR)

Biometric data (selfie used for liveness detection) qualifies as special category data under Art. 9(1) GDPR. This data is processed exclusively by DiDit for identity verification purposes. Healtown processes this data only with your explicit consent (Art. 9(2)(a) GDPR), which you provide when initiating the identity verification flow. You may withdraw consent at any time; however, withdrawal will prevent you from publishing Listings as a Provider.

Healtown does not process health data of Clients beyond what Clients may voluntarily share with Providers via the messaging system. Clients are advised to review a Provider's own privacy notice before sharing health information.

§ 4 — Purposes of Processing and Legal Bases (Art. 13(1)(c)(d) GDPR)

Account management
To create and manage your user account, authenticate you, and provide access to the Platform. Legal basis: performance of contract — Art. 6(1)(b) GDPR.
Booking & payment processing
To confirm Bookings, process payments via Stripe, manage payouts to Providers, and handle refunds. Legal basis: performance of contract — Art. 6(1)(b) GDPR.
Notifications & email communications
To send booking confirmations, receipts, session reminders, and account alerts. Legal basis: performance of contract — Art. 6(1)(b) GDPR.
Identity verification (Providers)
To verify Provider identity via DiDit KYC to reduce fraud risk. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — protecting platform integrity and Client safety; additionally Art. 9(2)(a) GDPR for biometric data.
Credential verification (Providers)
To review and store professional certificates. Legal basis: legitimate interest — protecting Clients from unqualified practitioners — Art. 6(1)(f) GDPR.
In-app messaging
To facilitate communication between Clients and Providers. Legal basis: performance of contract — Art. 6(1)(b) GDPR.
Platform security & fraud prevention
To detect and prevent fraudulent, abusive, or illegal activity. Legal basis: legitimate interest — Art. 6(1)(f) GDPR.
Legal compliance
To retain accounting, tax, and transaction records as required by German law (§ 147 AO, § 257 HGB — 6/10 year retention). Legal basis: legal obligation — Art. 6(1)(c) GDPR.
Marketing communications
To send promotional emails, platform updates, or feature announcements. Legal basis: consent — Art. 6(1)(a) GDPR; or, for existing Clients, § 7 Abs. 3 UWG (legitimate interest in direct marketing of own similar services). You may opt out at any time.
Improving the Platform
Aggregated, anonymised usage analysis to improve platform features. Legal basis: legitimate interest — Art. 6(1)(f) GDPR.

§ 5 — Recipients and Data Processors (Art. 13(1)(e) GDPR)

We do not sell personal data. We share data only as necessary and under binding data processing agreements (Art. 28 GDPR) with the following third parties:

5.1 Infrastructure and Cloud Services

Supabase Inc.
Database (PostgreSQL), file storage, and authentication infrastructure. Data stored in Supabase's EU region. DPA: supabase.com/privacy. Category: data processor.
Hostinger International Ltd.
VPS hosting provider for the Platform server. EU datacenter used. Category: data processor.

5.2 Payment Processing

Stripe Payments Europe, Ltd.
Payment processing, Connect payouts to Providers, refund handling. Stripe processes cardholder data as an independent data controller for its own compliance purposes, and as a data processor for Platform payment operations. DPA and privacy: stripe.com/de/privacy. Data may be transferred to the USA under Standard Contractual Clauses (Art. 46 GDPR).

5.3 Identity Verification

DiDit (DiDit SAS)
Identity verification and biometric liveness check for Provider onboarding. DiDit processes the government-issued ID and selfie as a data processor under its own GDPR-compliant privacy policy. Healtown receives only the verification result (Approved / Declined). DPA: didit.me/privacy.

5.4 Email Delivery

Hostinger Email / SMTP
Transactional email delivery (booking confirmations, notifications). Email content includes name, email address, booking details.

5.5 Intra-Platform Sharing

Client → Provider
When a Client books a session, the Client's name and (where provided) contact details are shared with the relevant Provider to fulfil the Booking.
Provider → Client (public)
Provider name, profile photo, biography, and professional credentials (to the extent displayed on the Listing) are visible to all Platform users.

5.6 Legal Disclosure

Healtown may disclose personal data to competent authorities, courts, or regulators where required by law, court order, or to protect the rights and safety of Healtown, Users, or the public.

§ 6 — International Transfers (Art. 13(1)(f) GDPR)

The primary processing of personal data takes place within the European Economic Area (EEA). Where data is transferred to third countries (notably the United States, for Stripe), Healtown ensures that such transfers are subject to appropriate safeguards pursuant to Art. 46 GDPR, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU).
  • Adequacy decisions where applicable.
  • Binding Corporate Rules or other approved transfer mechanisms.

A copy of the applicable transfer safeguards may be requested at privacy@healtown.net.

§ 7 — Data Retention Periods (Art. 13(2)(a) GDPR)

Account data
Retained for the lifetime of the account. Upon closure, account data is deleted or anonymised within 90 days, subject to legal retention obligations below.
Transaction records
10 years from the transaction date pursuant to § 147 AO (German Tax Code) and § 257 HGB (German Commercial Code).
Booking records
7 years from the date of booking for tax and accounting purposes.
Identity verification
Verification result (Approved/Declined) retained for the duration of the Provider account. Raw biometric data is processed and deleted by DiDit per their policy.
Professional credentials
Retained while the Provider account is active. Deleted within 90 days of account closure.
Server logs
14 days rolling retention. Anonymised thereafter for security analysis.
Messages
Retained for 3 years after the associated Booking to enable dispute resolution. Deleted thereafter unless subject to an active legal hold.
Marketing consents
Until consent is withdrawn or the account is closed.

§ 8 — Your Data Subject Rights (Art. 15–22 GDPR)

To exercise any of the rights below, contact us at privacy@healtown.net. We will respond within 30 days (extendable by a further 60 days for complex requests under Art. 12(3) GDPR). Requests are processed free of charge unless manifestly unfounded or excessive (Art. 12(5) GDPR).

Right of access (Art. 15)
Receive confirmation of whether we process your personal data and, if so, a copy of it.
Right to rectification (Art. 16)
Have inaccurate personal data corrected or incomplete data completed.
Right to erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations and ongoing contractual necessity.
Right to restriction (Art. 18)
Restrict processing of your data where you contest its accuracy, object to processing, or we no longer need it but you require it for legal claims.
Right to portability (Art. 20)
Receive your personal data in a structured, machine-readable format (where processing is based on consent or contract and is automated).
Right to object (Art. 21)
Object at any time to processing based on legitimate interest (Art. 6(1)(f)), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art. 7)
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
Automated decision-making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Healtown does not currently make such decisions.
Right to complain (Art. 77)
Lodge a complaint with the competent supervisory authority. The authority for Baden-Württemberg is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart, poststelle@lfdi.bwl.de.

§ 9 — Cookies and Similar Technologies (§ 25 TTDSG)

The Platform uses cookies and similar storage technologies. Pursuant to § 25 TTDSG (implementing the EU ePrivacy Directive), we only set cookies requiring consent after obtaining your explicit agreement.

9.1 Strictly Necessary Cookies

These cookies are essential for the Platform to function. They do not require your consent under § 25 Abs. 2 Nr. 2 TTDSG. They include:

sb-auth-token
Supabase session authentication cookie. Maintains your logged-in state. Expires when you log out or after session timeout. Set by: Supabase.
CSRF tokens
Security token preventing cross-site request forgery. Session-scoped. Set by: Platform server.
Cookie consent
Records your cookie preference (localStorage). Expires: 1 year.

9.2 Optional / Functional Cookies

Currently, Healtown does not use advertising, tracking, analytics, or third-party marketing cookies. If this changes in the future, you will be informed and asked for your explicit consent before any such cookies are set.

For full details, see our Cookie Policy. You can withdraw cookie consent at any time via the cookie settings link in the footer.

§ 10 — Technical and Organisational Security Measures (Art. 32 GDPR)

Healtown implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • TLS encryption for all data in transit (HTTPS enforced).
  • Hashed password storage (bcrypt/Argon2 via Supabase Auth — plaintext passwords never stored).
  • Row-Level Security (RLS) on all database tables ensuring Users can only access their own data.
  • Access-controlled storage for Provider credential documents.
  • Webhook signature verification for all third-party integrations (Stripe, DiDit).
  • Regular server security updates and access log monitoring.
  • Principle of least privilege for internal data access.

No method of data transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it responsibly to privacy@healtown.net.

In the event of a personal data breach that poses a risk to data subjects' rights and freedoms, Healtown will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected data subjects without undue delay where required (Art. 34 GDPR).

§ 11 — Children's Data

The Platform is not directed at persons under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we become aware that a person under 16 has created an account, we will delete their data promptly. If you believe a child has registered, please contact us at privacy@healtown.net.

§ 12 — Changes to This Privacy Policy

Healtown may update this Privacy Policy from time to time. Where changes are material, registered Users will be notified by email at least 30 days before the new version takes effect. Minor clarifications may be made without notice. The current version is always available at healtown.net/privacy. Continued use of the Platform after the effective date of an updated policy constitutes acceptance.

§ 13 — Contact and Supervisory Authority

Data Protection Contact

Ali TaheriAzandaryani
Langewiesenweg 7, 69469 Weinheim, Germany
Email: privacy@healtown.net

Competent Supervisory Authority (Art. 77 GDPR)

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart
Web: www.baden-wuerttemberg.datenschutz.de
Email: poststelle@lfdi.bwl.de

Version 1.0 — Effective 11 June 2026 — Controller: Ali TaheriAzandaryani, Langewiesenweg 7, 69469 Weinheim, Germany